LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Slackware 8.1 & Iptables Help (https://www.linuxquestions.org/questions/linux-networking-3/slackware-8-1-and-iptables-help-516353/)

siadam 01-04-2007 02:56 PM

Slackware 8.1 & Iptables Help
 
I have done some lurking here and there along with a lot of reading, to no avail thus far.

Currently running a Slack 8.1 box as a firewall/email server. It was in place before I arrived and has done a great job. It has Webmin installed, and that is where I have done most/all configs up to this point. There is no place to configure iptables there, so I fired up ssh and went to work.

What I would like to happen: to access an internal device from outside the LAN.

The problem I have is that no matter what I do, I cannot get to it. Connection Refused!!

I am using ssh/telnet while at work and am fine. It is a NAT configuration w/1 public IP mapped to many private IPs inside.

While on the LAN, you can access the device via a web browser at 192.168.xxx.xxx w/o entering a port number. So I am going to assume it is port 80.

I did the following w/no luck.

iptables -A FORWARD -p tcp -d 192.168.xxx.xxx --destination-port 80 -j ACCEPT

No luck, then added;

iptables -A INPUT -p tcp -d 192.168.xxx.xxx --destination-port 80 -j ACCEPT

Still no luck. I have since flushed the tables and it's running just fine. As stated never any problems with it, just want to add some functionality.

I am at a loss. I would greatly appreciate any help anyone can give me on the matter.

Thanks in advance.

loewen 01-05-2007 01:06 PM

Slackware 8.1 & Iptables Help
 
I am assuming you wanted to run httpd from another box other than the one serving as your gateway. In this case, I would do it in the PREROUTING table, where:

iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80

Depending on the rules in your FORWARD table, you should be just fine.

If instead you wanted to allow the httpd of your gateway to serve pages to the internet, then just open up port 80 in the INPUT table and allow established/related in the OUTPUT table.

siadam 01-08-2007 01:18 PM

Quote:

iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
I had flushed the existing rules... just to err on the side of caution. So nothing was interfering with the new rule.

You are correct on assuming the http service is on a machine inside the lan. Not on the gateway/firewall itself.

Still nothing... I have tried so many things... I am just lost/confused.

Should be fairly simple..

:confused:

siadam 01-08-2007 02:48 PM

Something else I don't understand.

I can list my tables via iptables -L and see Input/Forward/Output and the rules. None in Forward or Output.

For Input

Accept all, any source and any destination, state related/established.
Accept all, any source and any destination, state new.

I don't understand what PREROUTING/POSTROUTING and NAT refer to. I understand what NAT does, but what is it modifying?

I added the PREROUTING rule earlier in this thread, but it does not show?

Could someone please shed some light on this.

Thanks in advance.
:cool:

siadam 01-09-2007 09:11 AM

If someone could help me understand what these rules mean.

Quote:

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to $EXT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$IPTABLES -P INPUT DROP
Flush Iptable chains w/ -F
Flush Nat tables w/ -F
?
?
?
?
?

Thanks. Looking for a better understanding of the organization.
:cool:

siadam 01-09-2007 09:21 AM

I added this before the POSTROUTING rule.

Quote:

iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
Still doesn't seem to work...

:confused:

siadam 01-10-2007 12:35 PM

Quote:

Originally Posted by siadam
I added this before the POSTROUTING rule.

Still doesn't seem to work...

:confused:

:confused:

amitsharma_26 01-10-2007 01:02 PM

Siadam,
Have you heard the saying 'curiosity killed the cat'?

Anyways..

Let me clarify a few points which may help you understand the whole idea.
1. In iptables we have the INPUT and OUTPUT chains for LOCAL BOX related firewalling, and the PREROUTING, POSTROUTING and FORWARD chains for NAT-related packets.
2. Whenever anything is being forwarded (NATed) to some other box (not your local box; a LAN-hosted one or any other), it has nothing to do with the INPUT & OUTPUT chains.
3. RULES LISTING: iptables -t nat -nvL // will list your NATing rules.
& iptables -nvL // will list your INPUT, OUTPUT & FORWARD rules.
4. There's a FORWARD chain in iptables which stands between PREROUTING & POSTROUTING & your LAN. So you should always make sure that there's nothing in the FORWARD chain that's blocking your NATed packets from traversing through.
5. Above all you should also make sure that your Linux box is actually acting as a ROUTER/IP_FORWARDER. Try cat /proc/sys/net/ipv4/ip_forward to see if it is 1 (meaning it is working as a router). Otherwise we have to change it to 1.
6. NATed packets always find their way back on their own. So we are not supposed to specify a reverse DNATing (SNATing) while we NAT packets.

amitsharma_26 01-10-2007 01:25 PM

If making your LAN-hosted webserver available to the internet is the only concern then follow these steps;
1. For flushing all the rules (the first command flushes rules from the INPUT, OUTPUT & FORWARD chains, the second flushes rules from table nat & the third flushes rules from table mangle)
iptables -F
iptables -t nat -F
iptables -t mangle -F
2. echo 1 > /proc/sys/net/ipv4/ip_forward
3. iptables -t nat -A PREROUTING -p tcp -d <YOUR PUBLIC IP> --dport 80 -j DNAT --to-destination 192.168.x.x:80
4. Make sure that the 192.168.x.x box has this FIREWALL box set as its gateway.

That's it. Try now.... Please be aware that you cannot check the implementation of these rules by browsing from this box alone; either you have to use some public proxy server or ask a friend of yours to check it.

It will work, or repost with the output of
Code:

iptables -nvL
iptables -t nat -nvL
ip rou ls
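To put amitsharma_26's two posts above together (the chain overview and the step list), here is an added example that is not from the thread or any of its posters: one script for the topology siadam describes (eth0 public, eth1 LAN, a web server on the LAN that must be reachable on port 80). It prints the rule set as plain iptables commands so the result can be reviewed before it is applied as root. The interface names, the public address 203.0.113.10, the web server address 192.168.1.20 and the function names are my placeholders. It also spells out what the step list leaves implicit: once the FORWARD chain has a DROP policy, the DNATed flow needs its own ACCEPT there, and the DNAT is restricted to packets arriving on the public interface.

```shell
#!/bin/sh
# Added example (not from the thread). Complete port-forward rule set for the
# topology in the thread: eth0 = public side, eth1 = LAN, web server on the
# LAN. All addresses and interface names are placeholders/assumptions.
set -eu

WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=203.0.113.10     # placeholder for the firewall's public address
WEB_IP=192.168.1.20        # placeholder for the LAN web server
WEB_PORT=80

# gen_rules WAN_IF LAN_IF PUBLIC_IP WEB_IP PORT
# Print the rule set as iptables commands, one per line, instead of running
# them, so the result can be read (or diffed against a box) before applying.
gen_rules() {
    wan=$1; lan=$2; pub=$3; web=$4; port=$5
    cat <<EOF
# start clean: filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# traffic to the firewall itself: loopback, replies, and new sessions from the LAN only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -m state --state NEW -j ACCEPT
# traffic through the firewall: replies, and new sessions from LAN to internet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
# LAN hosts leave with the public address (the thread's existing POSTROUTING rule)
iptables -t nat -A POSTROUTING -o $wan -j SNAT --to-source $pub
# the port forward: rewrite the destination, then allow that one flow through FORWARD
iptables -t nat -A PREROUTING -i $wan -p tcp -d $pub --dport $port -j DNAT --to-destination $web:$port
iptables -A FORWARD -i $wan -o $lan -p tcp -d $web --dport $port -m state --state NEW -j ACCEPT
# default-deny last, after the ACCEPT rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# ip_forward_enabled [FILE]: true when the kernel (or the given file, for
# offline testing) says IPv4 forwarding is on; without it DNATed packets go nowhere.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# apply_rules: turn on forwarding and load the generated rules (root only).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules "$WAN_IF" "$LAN_IF" "$PUBLIC_IP" "$WEB_IP" "$WEB_PORT" | sh -e
    ip_forward_enabled || { echo "ip_forward is still 0" >&2; return 1; }
}

# Default action is to print the rules; "apply" installs them.
if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules "$WAN_IF" "$LAN_IF" "$PUBLIC_IP" "$WEB_IP" "$WEB_PORT"
fi
```

Run it without arguments to print the rules, or with `apply` as root to install them. Note that the rule siadam first tried in INPUT could never have matched: a packet addressed to the LAN host is not delivered locally, so it traverses only PREROUTING, FORWARD and POSTROUTING on the firewall. The `-m state` match is what the thread's own script uses; on current iptables the equivalent is `-m conntrack --ctstate`. As the poster says, the forward cannot be tested from the LAN side with these rules (the DNAT only matches on the public interface), so test from outside.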


siadam 01-10-2007 02:23 PM

Quote:

Originally Posted by amitsharma_26
Siadam,
Have you heard about 'curiosity killed the cat' saying ????

I am not quite sure what you mean by that? Maybe you can elaborate. If you think I am just "playing around" for the sake of screwing off you are incorrect. I actually have a project I am trying to complete and I am unfamiliar w/Iptables. I know whatever changes I make are wiped clean if I am forced to restart the machine, so I feel I can take a few chances to see what happens.

I do greatly appreciate the help. I have learned so much from the past week after reading/reading/reading and more reading. Not sure if I feel more comfortable or not, as a lot of the information has become convoluted.

I will try what you suggested and be posting back soon.

Again thanks for the help, greatly Appreciated.
:cool:

siadam 01-10-2007 02:27 PM

Quote:

Try cat /proc/sys/net/ipv4/ip_forward to see if it is 1 (means it is working as a router. Otherwise we got to change it to 1.

This box is a router; thus after issuing the command it returns a 1.

Basically it is as follows.

Net cloud --> eth0(public IP) /SlackBox/ --> eth1 (private IP) --> LAN --> device I need access to.

:cool:

siadam 01-11-2007 08:45 AM

Bump, this forum moves fast.
:cool:

siadam 01-12-2007 10:20 AM

Quote:

iptables -nvL
iptables -t nat -nvL
ip rou ls
Outputs from the following.

iptables -nvL &

iptables -t nat -nvL &

ip rou ls
Command not found.

:cool:

amitsharma_26 01-12-2007 11:49 AM

Quote:

Originally Posted by siadam

You only have a single POSTROUTING (SNATing) command under table nat, for internet access for your LAN.
Why didn't you run the PREROUTING command?

Add these two iptables PREROUTING+POSTROUTING rules in your 5th post's script & run.
Code:

iptables -t nat -A PREROUTING -p tcp -d 75.111.223.188 --dport 80 -j DNAT --to-destination <webserver-lan-ip>:80
iptables -t nat -A POSTROUTING -p tcp -d <webserver-lan-ip> --dport 80 -j SNAT --to-source <firewall-box-lan-ip>

*By firewall-box-lan-ip, I mean the IP of the box on which this script would be running.

Modify the above two lines with the proper IP addresses & then add them to your script. Run that script and cross-check with #iptables -t nat -nvL; you'll see one rule under the PREROUTING chain & one more (in all that would make two) under the POSTROUTING chain.

If you do it this way, exactly, it will work. You can only verify whether this script works by asking a friend of yours or using a public proxy server.

You can also read more about NATing, iptables port forwarding @ http://amitsharma.linuxbloggers.com/portforwarding.htm
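The cross-check amitsharma_26 asks for above (one rule in PREROUTING, two in POSTROUTING once the script has run) can be scripted rather than eyeballed. The following is an added example of my own, not from the thread: it reads `iptables -t nat -nvL` output and verifies that the expected DNAT and SNAT rules are present. The listing embedded in it is constructed to mimic that output; the addresses (203.0.113.10 public, 192.168.1.20 web server, 192.168.1.1 firewall LAN side) and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that the firewall's nat table
# contains the port-forward rules the post above describes: one DNAT rule in
# PREROUTING and two rules in POSTROUTING. Addresses are placeholders:
# 203.0.113.10 = public IP, 192.168.1.20 = LAN web server, 192.168.1.1 = firewall LAN IP.
set -eu

PUBLIC_IP=203.0.113.10
WEB_IP=192.168.1.20
FW_LAN_IP=192.168.1.1

# Constructed sample of `iptables -t nat -nvL` output, for offline use.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 1523 packets, 91332 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.1.20:80

Chain POSTROUTING (policy ACCEPT 881 packets, 61080 bytes)
 pkts bytes target     prot opt in     out     source               destination
  840 58000 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:203.0.113.10
   12   720 SNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.20         tcp dpt:80 to:192.168.1.1

Chain OUTPUT (policy ACCEPT 41 packets, 2870 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# rules_in_chain CHAIN: read a listing on stdin, print only CHAIN's rule lines
# (the "Chain ..." banner, the column header and blank separators are dropped).
rules_in_chain() {
    awk -v chain="$1" '
        /^Chain /                { cur = $2; next }
        /^ *pkts +bytes +target/ { next }
        NF == 0                  { next }
        cur == chain             { print }
    '
}

# count_rules CHAIN: number of rules in CHAIN (listing on stdin)
count_rules() {
    rules_in_chain "$1" | wc -l | tr -d ' '
}

# has_rule CHAIN TARGET TEXT: true if CHAIN has a rule with target TARGET
# (third column of -nvL output) whose line contains the literal TEXT
has_rule() {
    rules_in_chain "$1" | awk -v t="$2" '$3 == t' | grep -qF -- "$3"
}

# check_nat_listing: read a listing on stdin; succeed only if the counts and
# the specific rewrites match what the port forward should look like.
check_nat_listing() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | count_rules PREROUTING)" = 1 ] || return 1
    [ "$(printf '%s\n' "$listing" | count_rules POSTROUTING)" = 2 ] || return 1
    printf '%s\n' "$listing" | has_rule PREROUTING DNAT "$PUBLIC_IP" || return 1
    printf '%s\n' "$listing" | has_rule PREROUTING DNAT "dpt:80 to:$WEB_IP:80" || return 1
    printf '%s\n' "$listing" | has_rule POSTROUTING SNAT "to:$PUBLIC_IP" || return 1
    printf '%s\n' "$listing" | has_rule POSTROUTING SNAT "to:$FW_LAN_IP" || return 1
    return 0
}

# "live" checks the running box (needs root); the default checks the sample.
if [ "${1:-}" = live ]; then
    iptables -t nat -nvL | check_nat_listing && echo "nat table OK"
else
    printf '%s\n' "$SAMPLE_LISTING" | check_nat_listing && echo "sample listing OK"
fi
```

On the firewall, `sh natcheck.sh live` as root runs the real listing through the same checks. One caveat on the second SNAT rule the post adds: it rewrites every external client's source address to the firewall's LAN address, so the web server's logs will show only the firewall for all outside visitors. It is a workaround for a web server whose default gateway is not the firewall; if the gateway is set correctly, as the earlier post also requires, that rule can be left out and the real client addresses are preserved.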

siadam 01-12-2007 01:11 PM

Quote:

Originally Posted by amitsharma_26
You only have a single POSTROUTING (SNATing) command under table nat, for internet access for your LAN.
Why didn't you run the PREROUTING command?

I did, but not before I listed the ruleset and posted them. I wanted you to see what I am working with. I have yet to try to see if it works. I am in the process of setting up a Sprint WiFi card so I can acquire an outside IP and try it that way for testing purposes, instead of going home and trying there.

I will keep you all updated.

Again THANKS for the help!
:cool:

